Links

Thursday, September 20, 2012

HERMES

As a follow up to yesterday's post I would like to talk a bit more about HERMES and how it works.

INITIAL KNOWLEDGE - First there there is some form of information that comes in indicating a potential attack. This information usually has some trackable piece of information such as an email address, subject line, content, an md5 sum, etc. This information usually comes in one of the following methods:

Law enforcement notification

Incident Response/forensics post compromise information

A detection system picks up an attack (rare)

Specialized sourcing (AR gathers targeted attack tools, malware and other indicators using a variety of means including IR and direct sharing)

What's special about the above is that HERMES uses your standard build image rather than a generic XP VM, the way maliciousness is determined, and some of the memory work we do. Also the fact that the AV scans (unlike sites such as VirusTotal, Jotti, etc.) do not submit your sensitive samples to AV vendors is fairly unique.

CORRELATION - Most organizations track incidents over time via a notebook, a wiki or most commonly a white board. HERMES allows you to identify relationships between attacks over time.

Incident Tracking

Analyst Notes

Actor/attribution Information

Relations between IOCs on different samples or cases

There are several ways in which HERMES is already benefiting our clients and options how it may benefit you:

HERMES can be delivered as an appliance to supplement or provide your reverse engineering and incident tracking operations

HERMES can be delivered as an ESXi implementation which can fit easily into your existing virtualized environment

Finally AR can provide organizations with HERMES targeted threat intel reporting or be operated by AR staff for you. Results can be provided as a XML feed, PDF, etc.

All of this information is fed into APTSim models to ensure that ongoing testing mirrors actual current targeted attack techniques and grows in sophistication over time in sync with the attackers. This information is also used to generate your IDS, AV, Splunk and other defensive signatures.

Rather than focusing on the entire set of malware, for which there are millions upon millions of samples, HERMES focuses on a handful of sophisticated, targeted attack tools which are in use over the last 30 days or less.

Most security tools are designed to deal with the 80% of attacks such as botnets, scans, mass malware, etc. But its the other 20% that you should care about because those are the ones that are intentionally (and successfully) damaging your business and that you have no defense against. This is something you can get your hands around with a tool like HERMES.

On the next post I will talk a bit more about APTSim and how it works.